1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.5.3 of GnuTLS.
Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.5.3: Verification using PKCS11</title>
<meta name="description" content="GnuTLS 3.5.3: Verification using PKCS11">
<meta name="keywords" content="GnuTLS 3.5.3: Verification using PKCS11">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="X_002e509-certificates.html#X_002e509-certificates" rel="up" title="X.509 certificates">
<link href="OpenPGP-certificates.html#OpenPGP-certificates" rel="next" title="OpenPGP certificates">
<link href="Verifying-a-certificate-in-the-context-of-TLS-session.html#Verifying-a-certificate-in-the-context-of-TLS-session" rel="prev" title="Verifying a certificate in the context of TLS session">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
border-spacing: 7px;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en">
<a name="Verification-using-PKCS11"></a>
<div class="header">
<p>
Previous: <a href="Verifying-a-certificate-in-the-context-of-TLS-session.html#Verifying-a-certificate-in-the-context-of-TLS-session" accesskey="p" rel="prev">Verifying a certificate in the context of TLS session</a>, Up: <a href="X_002e509-certificates.html#X_002e509-certificates" accesskey="u" rel="up">X.509 certificates</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Verifying-a-certificate-using-PKCS-_002311"></a>
<h4 class="subsubsection">4.1.1.9 Verifying a certificate using PKCS #11</h4>
<a name="index-verifying-certificate-with-pkcs11"></a>
<p>Some systems provide a system wide trusted certificate storage accessible using
the PKCS #11 API. That is, the trusted certificates are queried and accessed using the
PKCS #11 API, and trusted certificate properties, such as purpose, are marked using
attached extensions. One example is the p11-kit trust module<a name="DOCF8" href="#FOOT8"><sup>8</sup></a>.
</p>
<p>These special PKCS #11 modules can be used for GnuTLS certificate verification if marked as trust
policy modules, i.e., with <code>trust-policy: yes</code> in the p11-kit module file.
The way to use them is by specifying to the file verification function (e.g., <a href="Core-TLS-API.html#gnutls_005fcertificate_005fset_005fx509_005ftrust_005ffile">gnutls_certificate_set_x509_trust_file</a>),
a pkcs11 URL, or simply <code>pkcs11:</code> to use all the marked with trust policy modules.
</p>
<p>The trust modules of p11-kit assign a purpose to trusted authorities using the extended
key usage object identifiers. The common purposes are shown in <a href="#tab_003apurposes">Table 4.4</a>. Note
that typically according to [<em>RFC5280</em>] the extended key usage object identifiers apply to end certificates. Their
application to CA certificates is an extension used by the trust modules.
</p>
<div class="float"><a name="tab_003apurposes"></a>
<table>
<thead><tr><th width="20%">Purpose</th><th width="20%">OID</th><th width="60%">Description</th></tr></thead>
<tr><td width="20%">GNUTLS_KP_TLS_WWW_SERVER</td><td width="20%">1.3.6.1.5.5.7.3.1</td><td width="60%">The certificate is to be used for TLS WWW authentication. When in a CA certificate, it
indicates that the CA is allowed to sign certificates for TLS WWW authentication.</td></tr>
<tr><td width="20%">GNUTLS_KP_TLS_WWW_CLIENT</td><td width="20%">1.3.6.1.5.5.7.3.2</td><td width="60%">The certificate is to be used for TLS WWW client authentication. When in a CA certificate, it
indicates that the CA is allowed to sign certificates for TLS WWW client authentication.</td></tr>
<tr><td width="20%">GNUTLS_KP_CODE_SIGNING</td><td width="20%">1.3.6.1.5.5.7.3.3</td><td width="60%">The certificate is to be used for code signing. When in a CA certificate, it
indicates that the CA is allowed to sign certificates for code signing.</td></tr>
<tr><td width="20%">GNUTLS_KP_EMAIL_PROTECTION</td><td width="20%">1.3.6.1.5.5.7.3.4</td><td width="60%">The certificate is to be used for email protection. When in a CA certificate, it
indicates that the CA is allowed to sign certificates for email users.</td></tr>
<tr><td width="20%">GNUTLS_KP_OCSP_SIGNING</td><td width="20%">1.3.6.1.5.5.7.3.9</td><td width="60%">The certificate is to be used for signing OCSP responses. When in a CA certificate, it
indicates that the CA is allowed to sign certificates which sign OCSP reponses.</td></tr>
<tr><td width="20%">GNUTLS_KP_ANY</td><td width="20%">2.5.29.37.0</td><td width="60%">The certificate is to be used for any purpose. When in a CA certificate, it
indicates that the CA is allowed to sign any kind of certificates.</td></tr>
</table>
<div class="float-caption"><p><strong>Table 4.4: </strong>Key purpose object identifiers.</p></div></div>
<p>With such modules, it is recommended to use the verification functions <a href="X509-certificate-API.html#gnutls_005fx509_005ftrust_005flist_005fverify_005fcrt2">gnutls_x509_trust_list_verify_crt2</a>,
or <a href="Core-TLS-API.html#gnutls_005fcertificate_005fverify_005fpeers">gnutls_certificate_verify_peers</a>, which allow to explicitly specify the key purpose. The
other verification functions which do not allow setting a purpose, would operate as if
<code>GNUTLS_KP_TLS_WWW_SERVER</code> was requested from the trusted authorities.
</p>
<div class="footnote">
<hr>
<h4 class="footnotes-heading">Footnotes</h4>
<h3><a name="FOOT8" href="#DOCF8">(8)</a></h3>
<p>see <a href="http://p11-glue.freedesktop.org/trust-module.html">http://p11-glue.freedesktop.org/trust-module.html</a>.</p>
</div>
<hr>
<div class="header">
<p>
Previous: <a href="Verifying-a-certificate-in-the-context-of-TLS-session.html#Verifying-a-certificate-in-the-context-of-TLS-session" accesskey="p" rel="prev">Verifying a certificate in the context of TLS session</a>, Up: <a href="X_002e509-certificates.html#X_002e509-certificates" accesskey="u" rel="up">X.509 certificates</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
